Commit b79a0d7

Browse files
committed
total_replay_tool
1 parent e651fe9 commit b79a0d7

1 file changed

+29
-0
lines changed

total_replay/readme.md

Lines changed: 29 additions & 0 deletions
@@ -132,6 +132,35 @@ From there, you can choose whether to replay only detection GUIDs, only analytic
132132
133133
C. TOTAL-REPLAY downloads the required Attack Data each time you execute or replay data during detection testing or development. To help reduce disk space usage, the tool generates a cached .yml file for every downloaded dataset. You can then use the `local_data_path` parameter to replay the cached data, allowing you to avoid downloading the same Attack Data again.
134134
135+
### Other
136+
137+
or replaying captured datasets or event logs during detection development or testing outside of the Splunk Security Content or Splunk Attack Data GitHub repositories, we recommend using the built-in replay.py feature provided by either Splunk Attack Range or Attack Data.
138+
139+
If you have multiple datasets to replay and your metadata matches the format required by TOTAL-REPLAY for caching downloaded datasets, you can recreate that format and use the `local_data_path` feature to replay the data directly from the cache.
140+
141+
Below is an example of the cached .yml file generated by TOTAL-REPLAY after replaying datasets:
142+
143+
```
144+
analytic_story:
145+
- Ransomware
146+
attack_data_link: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/conti/conti_leak/windows-sysmon_7z.log
147+
attack_data_output_file_path: /Users/tecontre/Research/lab/attack_range/total_replay/output/2025-11-18/detection_name_replay_c2ffd320-bcd3-4d88-9d12-57bdd30f6545/01d29b48-ff6f-11eb-b81e-acde48001123/windows-sysmon_7z.log
148+
attack_data_source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
149+
attack_data_sourcetype: XmlWinEventLog
150+
description: The following analytic detects the execution of 7z or 7za processes with
151+
command lines pointing to SMB network shares. It leverages data from Endpoint Detection
152+
and Response (EDR) agents, focusing on process names and command-line arguments.
153+
This activity is significant as it may indicate an attempt to archive and exfiltrate
154+
sensitive files to a network share, a technique observed in CONTI LEAK tools. If
155+
confirmed malicious, this behavior could lead to data exfiltration, compromising
156+
sensitive information and potentially aiding further attacks.
157+
id: 01d29b48-ff6f-11eb-b81e-acde48001123
158+
mitre_attack_id:
159+
- T1560.001
160+
name: 7zip CommandLine To SMB Share Path
161+
162+
```
163+
135164
## Author
136165
137166
* [Teoderick Contreras](https://www.linkedin.com/in/teoderickc/)
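Review bot: the new paragraph under "### Other" starts mid-sentence ("or replaying captured datasets or event logs ...") and has lost its first word; it should read "For replaying captured datasets or event logs during detection development or testing outside of the Splunk Security Content or Splunk Attack Data GitHub repositories, we recommend ...". In the same hunk, the `attack_data_output_file_path` value in the sample cache entry hard-codes a personal absolute path (`/Users/tecontre/Research/lab/attack_range/total_replay/output/...`), which publishes a local username and directory layout in the README; swap it for a neutral placeholder such as `<attack_range_root>/total_replay/output/<date>/<detection_name>_replay_<uuid>/<detection_id>/windows-sysmon_7z.log`. The fence around that sample has no language tag; tagging it ```yaml gets the cache format highlighted when rendered. The sentence "If you have multiple datasets to replay and your metadata matches the format required by TOTAL-REPLAY ... you can recreate that format" reads as circular, since metadata that already matches needs no recreating; suggest "If you have several datasets to replay, write a .yml for each in the cache format shown below and point `local_data_path` at it." Finally, the unchanged context line above says the cache exists "To help reduce disk space usage", while the new text describes its purpose as avoiding repeated downloads; a cached copy adds files rather than saving space, so consider aligning the two statements.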
